teknoraver / rpms / rpm

Forked from rpms/rpm 3 months ago
Clone

Blame SOURCES/rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch

a5e32e
From b66422161d68ed7f7b1cb30e4db900bf42bed146 Mon Sep 17 00:00:00 2001
a5e32e
From: Panu Matilainen <pmatilai@redhat.com>
a5e32e
Date: Mon, 29 Nov 2021 14:01:39 +0200
a5e32e
Subject: [PATCH 1/4] Add Python bindings for rpmfilesFSignature()
a5e32e
a5e32e
Only, use more descriptive names than the C-side counterparts.
a5e32e
Python has nice facilities for dealing with binary data so return it
a5e32e
as such rather than converting to hex.
a5e32e
a5e32e
Backported for 4.16.1.3 (removed rpmfilesVSignature()).
a5e32e
---
a5e32e
 python/rpmfiles-py.c | 18 ++++++++++++++++++
a5e32e
 1 file changed, 18 insertions(+)
a5e32e
a5e32e
diff --git a/python/rpmfiles-py.c b/python/rpmfiles-py.c
a5e32e
index 27666021d..48189a0ac 100644
a5e32e
--- a/python/rpmfiles-py.c
a5e32e
+++ b/python/rpmfiles-py.c
a5e32e
@@ -152,6 +152,22 @@ static PyObject *rpmfile_digest(rpmfileObject *s)
a5e32e
     Py_RETURN_NONE;
a5e32e
 }
a5e32e
 
a5e32e
+static PyObject *bytebuf(const unsigned char *buf, size_t len)
a5e32e
+{
a5e32e
+    if (buf) {
a5e32e
+	PyObject *o = PyBytes_FromStringAndSize((const char *)buf, len);
a5e32e
+	return o;
a5e32e
+    }
a5e32e
+    Py_RETURN_NONE;
a5e32e
+}
a5e32e
+
a5e32e
+static PyObject *rpmfile_imasig(rpmfileObject *s)
a5e32e
+{
a5e32e
+    size_t len = 0;
a5e32e
+    const unsigned char *sig = rpmfilesFSignature(s->files, s->ix, &len;;
a5e32e
+    return bytebuf(sig, len);
a5e32e
+}
a5e32e
+
a5e32e
 static PyObject *rpmfile_class(rpmfileObject *s)
a5e32e
 {
a5e32e
     return utf8FromString(rpmfilesFClass(s->files, s->ix));
a5e32e
@@ -278,6 +294,8 @@ static PyGetSetDef rpmfile_getseters[] = {
a5e32e
       "language the file provides (typically for doc files)" },
a5e32e
     { "caps",		(getter) rpmfile_caps,		NULL,
a5e32e
       "file capabilities" },
a5e32e
+    { "imasig",	(getter) rpmfile_imasig,	NULL,
a5e32e
+      "IMA signature" },
a5e32e
     { NULL, NULL, NULL, NULL }
a5e32e
 };
a5e32e
 
a5e32e
-- 
a5e32e
2.35.1
a5e32e
a5e32e
From 9c4622998d3d0666edbea3ed1ae518502c3ed987 Mon Sep 17 00:00:00 2001
a5e32e
From: Panu Matilainen <pmatilai@redhat.com>
a5e32e
Date: Mon, 7 Feb 2022 11:52:55 +0200
a5e32e
Subject: [PATCH 2/4] Add a testcase for --dump query
a5e32e
a5e32e
---
a5e32e
 tests/rpmquery.at | 18 ++++++++++++++++++
a5e32e
 1 file changed, 18 insertions(+)
a5e32e
a5e32e
diff --git a/tests/rpmquery.at b/tests/rpmquery.at
a5e32e
index 9a4f1cb76..9bd391ac5 100644
a5e32e
--- a/tests/rpmquery.at
a5e32e
+++ b/tests/rpmquery.at
a5e32e
@@ -83,6 +83,24 @@ hello.spec
a5e32e
 [ignore])
a5e32e
 AT_CLEANUP
a5e32e
 
a5e32e
+AT_SETUP([rpm -qp --dump])
a5e32e
+AT_KEYWORDS([query])
a5e32e
+AT_CHECK([
a5e32e
+RPMDB_INIT
a5e32e
+runroot rpm \
a5e32e
+  -qp --dump \
a5e32e
+  /data/RPMS/hello-2.0-1.x86_64.rpm
a5e32e
+],
a5e32e
+[0],
a5e32e
+[/usr/bin/hello 7120 1489670606 c89fa87aeb1143969c0b6be9334b21d932f77f74e8f60120b5de316406369cf0 0100751 root root 0 0 0 X
a5e32e
+/usr/share/doc/hello-2.0 4096 1489670606 0000000000000000000000000000000000000000000000000000000000000000 040755 root root 0 0 0 X
a5e32e
+/usr/share/doc/hello-2.0/COPYING 48 908894882 fac3b28492ecdc16da172a6f1a432ceed356ca4d9248157b2a962b395e37b3b0 0100644 root root 0 1 0 X
a5e32e
+/usr/share/doc/hello-2.0/FAQ 36 908895030 678b87e217a415f05e43460e2c7b668245b412e2b4f18a75aa7399d9774ed0b4 0100644 root root 0 1 0 X
a5e32e
+/usr/share/doc/hello-2.0/README 39 908884468 d63fdc6c986106f57230f217d36b2395d83ecf491d2b7187af714dc8db9629e9 0100644 root root 0 1 0 X
a5e32e
+],
a5e32e
+[])
a5e32e
+AT_CLEANUP
a5e32e
+
a5e32e
 # ------------------------------
a5e32e
 AT_SETUP([rpmspec -q])
a5e32e
 AT_KEYWORDS([query])
a5e32e
-- 
a5e32e
2.35.1
a5e32e
a5e32e
From 9b2bc10881db7691439005fd74ea53d75b15ac76 Mon Sep 17 00:00:00 2001
a5e32e
From: Panu Matilainen <pmatilai@redhat.com>
a5e32e
Date: Thu, 10 Feb 2022 11:15:04 +0200
a5e32e
Subject: [PATCH 3/4] Ensure sane string lengths for file digests from header
a5e32e
a5e32e
---
a5e32e
 lib/rpmfi.c | 4 ++++
a5e32e
 1 file changed, 4 insertions(+)
a5e32e
a5e32e
diff --git a/lib/rpmfi.c b/lib/rpmfi.c
a5e32e
index af428468c..2dffab3aa 100644
a5e32e
--- a/lib/rpmfi.c
a5e32e
+++ b/lib/rpmfi.c
a5e32e
@@ -1501,6 +1501,10 @@ static uint8_t *hex2bin(Header h, rpmTagVal tag, rpm_count_t num, size_t len)
a5e32e
 		t += len;
a5e32e
 		continue;
a5e32e
 	    }
a5e32e
+	    if (strlen(s) != len * 2) {
a5e32e
+		bin = rfree(bin);
a5e32e
+		break;
a5e32e
+	    }
a5e32e
 	    for (int j = 0; j < len; j++, t++, s += 2)
a5e32e
 		*t = (rnibble(s[0]) << 4) | rnibble(s[1]);
a5e32e
 	}
a5e32e
-- 
a5e32e
2.35.1
a5e32e
a5e32e
From ddfed9e1842a1b60a8c40de3a18add6f6d68c515 Mon Sep 17 00:00:00 2001
a5e32e
From: Panu Matilainen <pmatilai@redhat.com>
a5e32e
Date: Mon, 29 Nov 2021 14:01:39 +0200
a5e32e
Subject: [PATCH 4/4] Fix IMA signature fubar, take III (#1833, RhBug:2018937)
a5e32e
a5e32e
At least ECDSA and RSA signatures can vary in length, but the IMA code
a5e32e
assumes constant lengths and thus may either place invalid signatures on
a5e32e
disk from either truncating or overshooting, and segfault if the stars are
a5e32e
just so.
a5e32e
a5e32e
As we can't assume static lengths and attempts to use maximum length
a5e32e
have proven problematic for other reasons, use a data structure that
a5e32e
can actually handle variable length data properly: store offsets into
a5e32e
the decoded binary blob and use them to calculate lengths when needed,
a5e32e
empty data is simply consequtive identical offsets. This avoids a whole
a5e32e
class of silly overflow issues with multiplying, makes zero-length data
a5e32e
actually presentable in the data structure and saves memory too.
a5e32e
a5e32e
Add tests to show behavior with variable length signatures and missing
a5e32e
signatures.
a5e32e
a5e32e
Additionally update the signing code to store the largest IMA signature
a5e32e
length rather than what happened to be last to be on the safe side.
a5e32e
We can't rely on this value due to invalid packages being out there,
a5e32e
but then we need to calculate the lengths on rpmfiles populate so there's
a5e32e
not a lot to gain anyhow.
a5e32e
a5e32e
Fixes: #1833
a5e32e
a5e32e
Backported for 4.16.1.3.  Note that the test case has been removed due
a5e32e
to it including a binary file (test package) for which we'd have to use
a5e32e
-Sgit with %autopatch and thus depend on git-core at build time.
a5e32e
Nevertheless, we do have this BZ covered in our internal test suite, so
a5e32e
no need for it anyway.
a5e32e
---
a5e32e
 lib/rpmfi.c         | 61 +++++++++++++++++++++++++++++++++++++++------
a5e32e
 sign/rpmsignfiles.c |  5 +++-
a5e32e
 2 files changed, 58 insertions(+), 8 deletions(-)
a5e32e
a5e32e
diff --git a/lib/rpmfi.c b/lib/rpmfi.c
a5e32e
index 2dffab3aa..77e73442c 100644
a5e32e
--- a/lib/rpmfi.c
a5e32e
+++ b/lib/rpmfi.c
a5e32e
@@ -115,7 +115,7 @@ struct rpmfiles_s {
a5e32e
     struct fingerPrint_s * fps;	/*!< File fingerprint(s). */
a5e32e
 
a5e32e
     int digestalgo;		/*!< File digest algorithm */
a5e32e
-    int signaturelength;	/*!< File signature length */
a5e32e
+    uint32_t *signatureoffs;	/*!< File signature offsets */
a5e32e
     unsigned char * digests;	/*!< File digests in binary. */
a5e32e
     unsigned char * signatures; /*!< File signatures in binary. */
a5e32e
 
a5e32e
@@ -574,10 +574,15 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len)
a5e32e
     const unsigned char *signature = NULL;
a5e32e
 
a5e32e
     if (fi != NULL && ix >= 0 && ix < rpmfilesFC(fi)) {
a5e32e
-	if (fi->signatures != NULL)
a5e32e
-	    signature = fi->signatures + (fi->signaturelength * ix);
a5e32e
+	size_t slen = 0;
a5e32e
+	if (fi->signatures != NULL && fi->signatureoffs != NULL) {
a5e32e
+	    uint32_t off = fi->signatureoffs[ix];
a5e32e
+	    slen = fi->signatureoffs[ix+1] - off;
a5e32e
+	    if (slen > 0)
a5e32e
+		signature = fi->signatures + off;
a5e32e
+	}
a5e32e
 	if (len)
a5e32e
-	    *len = fi->signaturelength;
a5e32e
+	    *len = slen;
a5e32e
     }
a5e32e
     return signature;
a5e32e
 }
a5e32e
@@ -1257,6 +1262,7 @@ rpmfiles rpmfilesFree(rpmfiles fi)
a5e32e
 	fi->flangs = _free(fi->flangs);
a5e32e
 	fi->digests = _free(fi->digests);
a5e32e
 	fi->signatures = _free(fi->signatures);
a5e32e
+	fi->signatureoffs = _free(fi->signatureoffs);
a5e32e
 	fi->fcaps = _free(fi->fcaps);
a5e32e
 
a5e32e
 	fi->cdict = _free(fi->cdict);
a5e32e
@@ -1485,6 +1491,48 @@ err:
a5e32e
     return;
a5e32e
 }
a5e32e
 
a5e32e
+/*
a5e32e
+ * Convert a tag of variable len hex strings to binary presentation,
a5e32e
+ * accessed via offsets to a contiguous binary blob. Empty values
a5e32e
+ * are represented by identical consequtive offsets. The offsets array
a5e32e
+ * always has one extra element to allow calculating the size of the
a5e32e
+ * last element.
a5e32e
+ */
a5e32e
+static uint8_t *hex2binv(Header h, rpmTagVal tag, rpm_count_t num,
a5e32e
+			uint32_t **offsetp)
a5e32e
+{
a5e32e
+    struct rpmtd_s td;
a5e32e
+    uint8_t *bin = NULL;
a5e32e
+    uint32_t *offs = NULL;
a5e32e
+
a5e32e
+    if (headerGet(h, tag, &td, HEADERGET_MINMEM) && rpmtdCount(&td) == num) {
a5e32e
+	const char *s;
a5e32e
+	int i = 0;
a5e32e
+	uint8_t *t = bin = xmalloc(((rpmtdSize(&td) / 2) + 1));
a5e32e
+	offs = xmalloc((num + 1) * sizeof(*offs));
a5e32e
+
a5e32e
+	while ((s = rpmtdNextString(&td))) {
a5e32e
+	    uint32_t slen = strlen(s);
a5e32e
+	    uint32_t len = slen / 2;
a5e32e
+	    if (slen % 2) {
a5e32e
+		bin = rfree(bin);
a5e32e
+		offs = rfree(offs);
a5e32e
+		goto exit;
a5e32e
+	    }
a5e32e
+	    offs[i] = t - bin;
a5e32e
+	    for (int j = 0; j < len; j++, t++, s += 2)
a5e32e
+		*t = (rnibble(s[0]) << 4) | rnibble(s[1]);
a5e32e
+	    i++;
a5e32e
+	}
a5e32e
+	offs[i] = t - bin;
a5e32e
+	*offsetp = offs;
a5e32e
+    }
a5e32e
+
a5e32e
+exit:
a5e32e
+    rpmtdFreeData(&td);
a5e32e
+    return bin;
a5e32e
+}
a5e32e
+
a5e32e
 /* Convert a tag of hex strings to binary presentation */
a5e32e
 static uint8_t *hex2bin(Header h, rpmTagVal tag, rpm_count_t num, size_t len)
a5e32e
 {
a5e32e
@@ -1580,9 +1628,8 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags)
a5e32e
     fi->signatures = NULL;
a5e32e
     /* grab hex signatures from header and store in binary format */
a5e32e
     if (!(flags & RPMFI_NOFILESIGNATURES)) {
a5e32e
-	fi->signaturelength = headerGetNumber(h, RPMTAG_FILESIGNATURELENGTH);
a5e32e
-	fi->signatures = hex2bin(h, RPMTAG_FILESIGNATURES,
a5e32e
-				 totalfc, fi->signaturelength);
a5e32e
+	fi->signatures = hex2binv(h, RPMTAG_FILESIGNATURES,
a5e32e
+				 totalfc, &fi->signatureoffs);
a5e32e
     }
a5e32e
 
a5e32e
     /* XXX TR_REMOVED doesn;t need fmtimes, frdevs, finodes */
a5e32e
diff --git a/sign/rpmsignfiles.c b/sign/rpmsignfiles.c
a5e32e
index b143c5b9b..372ba634c 100644
a5e32e
--- a/sign/rpmsignfiles.c
a5e32e
+++ b/sign/rpmsignfiles.c
a5e32e
@@ -98,8 +98,9 @@ rpmRC rpmSignFiles(Header sigh, Header h, const char *key, char *keypass)
a5e32e
     td.count = 1;
a5e32e
 
a5e32e
     while (rpmfiNext(fi) >= 0) {
a5e32e
+	uint32_t slen = 0;
a5e32e
 	digest = rpmfiFDigest(fi, NULL, NULL);
a5e32e
-	signature = signFile(algoname, digest, diglen, key, keypass, &siglen);
a5e32e
+	signature = signFile(algoname, digest, diglen, key, keypass, &slen);
a5e32e
 	if (!signature) {
a5e32e
 	    rpmlog(RPMLOG_ERR, _("signFile failed\n"));
a5e32e
 	    goto exit;
a5e32e
@@ -110,6 +111,8 @@ rpmRC rpmSignFiles(Header sigh, Header h, const char *key, char *keypass)
a5e32e
 	    goto exit;
a5e32e
 	}
a5e32e
 	signature = _free(signature);
a5e32e
+	if (slen > siglen)
a5e32e
+	    siglen = slen;
a5e32e
     }
a5e32e
 
a5e32e
     if (siglen > 0) {
a5e32e
-- 
a5e32e
2.35.1
a5e32e